Chore: Adding "allowed_groups" Configuration Parameter to Generic OAuth Method (#69025)

* feat: add allowed_groups for Generic OAuth

* docs: add allowed_groups more docs for Generic OAuth

pkg/login/social/generic_oauth.go

@@ -31,6 +31,23 @@ type SocialGenericOAuth struct {
 	idTokenAttributeName string
 	teamIdsAttributePath string
 	teamIds              []string
+	allowedGroups        []string
+}
+
+func (s *SocialGenericOAuth) IsGroupMember(groups []string) bool {
+	if len(s.allowedGroups) == 0 {
+		return true
+	}
+
+	for _, allowedGroup := range s.allowedGroups {
+		for _, group := range groups {
+			if group == allowedGroup {
+				return true
+			}
+		}
+	}
+
+	return false
 }
 
 func (s *SocialGenericOAuth) IsTeamMember(client *http.Client) bool {
@@ -182,6 +199,10 @@ func (s *SocialGenericOAuth) UserInfo(client *http.Client, token *oauth2.Token)
 		return nil, errors.New("user not a member of one of the required organizations")
 	}
 
+	if !s.IsGroupMember(userInfo.Groups) {
+		return nil, errMissingGroupMembership
+	}
+
 	s.log.Debug("User info result", "result", userInfo)
 	return userInfo, nil
 }

pkg/login/social/social.go

@@ -214,6 +214,7 @@ func ProvideService(cfg *setting.Cfg,
 				teamIdsAttributePath: sec.Key("team_ids_attribute_path").String(),
 				teamIds:              sec.Key("team_ids").Strings(","),
 				allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),
+				allowedGroups:        util.SplitString(sec.Key("allowed_groups").String()),
 			}
 		}